DNS Glue Requirements in Referral Responses

DNS Glue Requirements in Referral Responses ISC

marka@isc.org

Salesforce

shuque@gmail.com

Aiven

paul.wouters@aiven.io

Verisign

dwessels@verisign.com

ops dnsop Glue Record In-Domain Name Server Sibling Domain Name Server The DNS uses glue records to allow iterative clients to find the addresses of name servers that are contained within a delegated zone. Authoritative servers are expected to return all available glue records for in-domain name servers in a referral response. If message size constraints prevent the inclusion of all glue records for in-domain name servers, the server must set the TC (Truncated) flag to inform the client that the response is incomplete and that the client should use another transport to retrieve the full response. This document updates RFC 1034 to clarify correct server behavior.

Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .

Copyright Notice Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.

Table of Contents

. Introduction
- . Requirements Language
. Types of Glue in Referral Responses
- . Glue for In-Domain Name Servers
- . Glue for Sibling Domain Name Servers
- . Glue for Cyclic Sibling Domain Name Servers
- . Missing Glue
. Requirements
- . Glue for In-Domain Name Servers
- . Glue for Sibling Domain Name Servers
- . Update to RFC 1034
. Security Considerations
. Operational Considerations
. IANA Considerations
. References
- . Normative References
- . Informative References
Acknowledgements
Authors' Addresses

Introduction The Domain Name System (DNS) uses glue records to allow iterative clients to find the addresses of name servers that are contained within a delegated zone. Glue records are added to the parent zone as part of the delegation process and returned in referral responses; otherwise, a resolver following the referral has no way of finding these addresses. Authoritative servers are expected to return all available glue records for in-domain name servers in a referral response. If message size constraints prevent the inclusion of all glue records for in-domain name servers over the chosen transport, the server MUST set the TC (Truncated) flag to inform the client that the response is incomplete and that the client SHOULD use another transport to retrieve the full response. This document clarifies that expectation. DNS responses sometimes contain optional data in the additional section. In-domain glue records, however, are not optional. Several other protocol extensions, when used, are also not optional. This includes TSIG , OPT , and SIG(0) . At the time of this writing, addresses (A or AAAA records) for a delegation's authoritative name servers are the only type of glue defined for the DNS. Note that this document only clarifies requirements for name server software implementations. It does not introduce or change any requirements regarding data placed in DNS zones or registries. In other words, this document only makes requirements regarding "available glue records" (i.e., those given in a zone) but does not make requirements regarding their presence in a zone. If some glue records are absent from a given zone, an authoritative name server may be unable to return a useful referral response for the corresponding domain. The IETF may want to consider a separate update to the requirements for including glue in zone data, beyond those given in and . This document assumes a reasonable level of familiarity with DNS operations and protocol terms. Much of the terminology is explained in further detail in "" .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Types of Glue in Referral Responses This section describes different types of glue that may be found in DNS referral responses. Note that the type of glue depends on the QNAME. A particular name server (and its corresponding glue record) can be in-domain for one response and in a sibling domain for another.

Glue for In-Domain Name Servers The following is a simple example of glue records present in the delegating zone "test" for the child zone "foo.test". The name servers for foo.test (ns1.foo.test and ns2.foo.test) are both below the delegation point. They are configured as glue records in the "test" zone: foo.test. 86400 IN NS ns1.foo.test. foo.test. 86400 IN NS ns2.foo.test. ns1.foo.test. 86400 IN A 192.0.2.1 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2 A referral response from "test" for "foo.test" with glue for in-domain name servers looks like this: ;; QUESTION SECTION: ;www.foo.test. IN A ;; AUTHORITY SECTION: foo.test. 86400 IN NS ns1.foo.test. foo.test. 86400 IN NS ns2.foo.test. ;; ADDITIONAL SECTION: ns1.foo.test. 86400 IN A 192.0.2.1 ns2.foo.test. 86400 IN AAAA 2001:db8::2:2

Glue for Sibling Domain Name Servers Sibling domain name servers are NS records that are not contained in the delegated zone itself but rather are contained in another zone delegated from the same parent. In many cases, glue for sibling domain name servers is not strictly required for resolution, since the resolver can make follow-on queries to the sibling zone to resolve the name server addresses (after following the referral to the sibling zone). However, most name server implementations today provide them as an optimization to obviate the need for extra traffic from iterative resolvers. Here, the delegating zone "test" contains two delegations for the child zones "bar.test" and "foo.test": bar.test. 86400 IN NS ns1.bar.test. bar.test. 86400 IN NS ns2.bar.test. ns1.bar.test. 86400 IN A 192.0.2.1 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns2.bar.test. A referral response from "test" for "foo.test" with glue for sibling domain name servers looks like this: ;; QUESTION SECTION: ;www.foo.test. IN A ;; AUTHORITY SECTION: foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns2.bar.test. ;; ADDITIONAL SECTION: ns1.bar.test. 86400 IN A 192.0.2.1 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2

Glue for Cyclic Sibling Domain Name Servers The use of sibling domain name servers can introduce cyclic dependencies. This happens when one domain specifies name servers from a sibling domain, and vice versa. This type of cyclic dependency can only be broken when the delegating name server includes glue for the sibling domain in a referral response. Here, the delegating zone "test" contains two delegations for the child zones "bar.test" and "foo.test", and each uses name servers under the other: bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns2.foo.test. ns1.bar.test. 86400 IN A 192.0.2.1 ns2.bar.test. 86400 IN AAAA 2001:db8::2:2 foo.test. 86400 IN NS ns1.bar.test. foo.test. 86400 IN NS ns2.bar.test. ns1.foo.test. 86400 IN A 192.0.2.3 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4 A referral response from "test" for "bar.test" with glue for sibling domain name servers looks like this: ;; QUESTION SECTION: ;www.bar.test. IN A ;; AUTHORITY SECTION: bar.test. 86400 IN NS ns1.foo.test. bar.test. 86400 IN NS ns2.foo.test. ;; ADDITIONAL SECTION: ns1.foo.test. 86400 IN A 192.0.2.3 ns2.foo.test. 86400 IN AAAA 2001:db8::2:4 In late 2021, the authors analyzed zone file data available from ICANN's Centralized Zone Data Service and found 222 out of approximately 209,000,000 total delegations that had only sibling domain NS Resource Records (RRs) in a cyclic dependency as above.

Missing Glue An example of missing glue is included here, even though it cannot be considered as a type of glue. While not common, real examples of responses that lack required glue, and with TC=0, have been shown to occur and cause resolution failures. The example below, from the dig command , is based on a response observed in June 2020. The names have been altered to fall under documentation domains. It shows a case where none of the glue records present in the zone fit into the available space of the UDP response, and the TC flag was not set. While this example shows a referral with DNSSEC records , this behavior has been seen with plain DNS responses as well. Some records have been truncated for display purposes. Note that at the time of this writing, the servers originally responsible for this example have been updated and now correctly set the TC flag. % dig +norec +dnssec +bufsize=512 +ignore @ns.example.net \ rh202ns2.355.foo.example ; <<>> DiG 9.15.4 <<>> +norec +dnssec +bufsize +ignore \ @ns.example.net rh202ns2.355.foo.example ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8798 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;rh202ns2.355.foo.example. IN A ;; AUTHORITY SECTION: foo.example. 86400 IN NS rh120ns2.368.foo.example. foo.example. 86400 IN NS rh202ns2.355.foo.example. foo.example. 86400 IN NS rh120ns1.368.foo.example. foo.example. 86400 IN NS rh202ns1.355.foo.example. foo.example. 3600 IN DS 51937 8 1 ... foo.example. 3600 IN DS 635 8 2 ... foo.example. 3600 IN DS 51937 8 2 ... foo.example. 3600 IN DS 635 8 1 ... foo.example. 3600 IN RRSIG DS 8 2 3600 ...

Requirements This section describes updated requirements for including glue in DNS referral responses.

Glue for In-Domain Name Servers This document clarifies that when a name server generates a referral response, it MUST include all available glue records for in-domain name servers in the additional section or MUST set TC=1 if constrained by message size. At the time of this writing, most iterative clients send initial queries over UDP and retry over TCP upon receiving a response with the TC flag set. UDP responses are generally limited to between 1232 and 4096 bytes, due to values commonly used for the EDNS0 UDP Message Size field . TCP responses are limited to 65,535 bytes.

Glue for Sibling Domain Name Servers This document clarifies that when a name server generates a referral response, it SHOULD include all available glue records in the additional section. If, after adding glue for all in-domain name servers, the glue for all sibling domain name servers does not fit due to message size constraints, the name server MAY set TC=1 but is not obligated to do so. Note that users may experience resolution failures for domains with cyclically dependent sibling name servers when the delegating name server chooses to omit the corresponding glue in a referral response. As described in , such domains are rare.

Update to RFC 1034 OLD:

Copy the NS RRs for the subzone into the authority section of the reply. Put whatever addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. Go to step 4.

NEW:

Copy the NS RRs for the subzone into the authority section of the reply. Put whatever NS addresses are available into the additional section, using glue RRs if the addresses are not available from authoritative data or the cache. If all glue RRs for in-domain name servers do not fit, set TC=1 in the header. Go to step 4.

Security Considerations This document clarifies correct DNS server behavior and does not introduce any changes or new security considerations.

Operational Considerations At the time of this writing, the behavior of most DNS server implementations is to set the TC flag only if none of the available glue records fit in a response over UDP transport. The updated requirements in this document might lead to an increase in the fraction of UDP responses with the TC flag set and, consequently, an increase in the number of queries received over TCP transport.

IANA Considerations This document has no IANA actions.

References Normative References Domain names - concepts and facilities This RFC is the revised basic definition of The Domain Name System. It obsoletes RFC-882. This memo describes the domain style names and their used for host address look up and electronic mail forwarding. It discusses the clients and servers in the domain name system and the protocol used between them. Domain names - implementation and specification This RFC is the revised specification of the protocol and format used in the implementation of the Domain Name System. It obsoletes RFC-883. This memo documents the details of the domain name client - server communication. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Centralized Zone Data Service ICANN dig (command) Wikipedia DNS Flag Day 2020 Various DNS software and service providers DNS Request and Transaction Signatures ( SIG(0)s ) This document describes the minor but non-interoperable changes in Request and Transaction signature resource records ( SIG(0)s ) that implementation experience has deemed necessary. [STANDARDS-TRACK] DNS Security Introduction and Requirements The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System. This document introduces these extensions and describes their capabilities and limitations. This document also discusses the services that the DNS security extensions do and do not provide. Last, this document describes the interrelationships between the documents that collectively describe DNSSEC. [STANDARDS-TRACK] Resource Records for the DNS Security Extensions This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of resource records and protocol modifications that provide source authentication for the DNS. This document defines the public key (DNSKEY), delegation signer (DS), resource record digital signature (RRSIG), and authenticated denial of existence (NSEC) resource records. The purpose and format of each resource record is described in detail, and an example of each resource record is given. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] Protocol Modifications for the DNS Security Extensions This document is part of a family of documents that describe the DNS Security Extensions (DNSSEC). The DNS Security Extensions are a collection of new resource records and protocol modifications that add data origin authentication and data integrity to the DNS. This document describes the DNSSEC protocol modifications. This document defines the concept of a signed zone, along with the requirements for serving and resolving by using DNSSEC. These techniques allow a security-aware resolver to authenticate both DNS resource records and authoritative DNS error indications. This document obsoletes RFC 2535 and incorporates changes from all updates to RFC 2535. [STANDARDS-TRACK] Extension Mechanisms for DNS (EDNS(0)) The Domain Name System's wire protocol includes a number of fixed fields whose range has been or soon will be exhausted and does not allow requestors to advertise their capabilities to responders. This document describes backward-compatible mechanisms for allowing the protocol to grow. This document updates the Extension Mechanisms for DNS (EDNS(0)) specification (and obsoletes RFC 2671) based on feedback from deployment experience in several implementations. It also obsoletes RFC 2673 ("Binary Labels in the Domain Name System") and adds considerations on the use of extended labels in the DNS. DNS Terminology The Domain Name System (DNS) is defined in literally dozens of different RFCs. The terminology used by implementers and developers of DNS protocols, and by operators of DNS systems, has sometimes changed in the decades since the DNS was first defined. This document gives current definitions for many of the terms used in the DNS in a single document. This document obsoletes RFC 7719 and updates RFC 2308. Secret Key Transaction Authentication for DNS (TSIG) This document describes a protocol for transaction-level authentication using shared secrets and one-way hashing. It can be used to authenticate dynamic updates to a DNS zone as coming from an approved client or to authenticate responses as coming from an approved name server. No recommendation is made here for distributing the shared secrets; it is expected that a network administrator will statically configure name servers and clients using some out-of-band mechanism. This document obsoletes RFCs 2845 and 4635.

Acknowledgements The authors wish to thank , , , , , , , , , , , , , , , , , , and other members of the DNSOP Working Group for their input.